United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General

July 2011

MEMORANDUM

TO:       CIO - Susan Swart

FROM:     OIG - Harold W. Geisel

SUBJECT:  Management Letter Related to Review of Department of State Information Security Program for FY 2010 (AUD/IT-11-26)

Attached for your review and action is a copy of the subject report. Williams, Adley & Company, an independent external auditor, at the direction of the Office of Inspector General, prepared this management letter. Based on your response, OIG considers Recommendation 1 closed. However, please provide your response to the report and information on actions taken or planned for Recommendation 2 within 30 days of the date of this memorandum. Actions taken or planned are subject to followup and reporting in accordance with the attached compliance response information.

OIG incorporated your comments as appropriate within the body of the report and included them in their entirety as Appendix A.

OIG appreciates the cooperation and assistance provided by your staff during this audit. If you have any questions, please contact Evelyn R. Klemstine, Assistant Inspector General for Audits, at (202) 663-0372 or Jerry Rainwaters, Director, Information Technology Division, at (703) 284-1841 or by email at rainwatersJ@state.gov.

Attachments: As stated.

cc: DS - (b)(6)


UNCLASSIFIED

Management Letter Related to
Review of Department of State
Information Security Program for FY 2010

AUD/IT-11-26

July 2011

Williams, Adley & Company, LLP
1250 H Street, NW
Suite 1150
Washington, DC 20005


WILLIAMS ADLEY

June 14, 2011

Office of Inspector General
U.S. Department of State
Washington, D.C.

Williams, Adley & Company, LLP (referred to as "we" in this letter), is pleased to provide the Office of Inspector General (OIG) the management letter pertaining to information security control issues that were not reported during our FY 2010 review of the Department of State's (Department) Information Security Program. We reviewed the Department's Information Security Program as required by the Federal Information Security Management Act and in accordance with Office of Management and Budget and National Institute of Standards and Technology regulations and standards.

This review of the additional information security control issues was performed under Contract No. SAQMMA10F2159. We communicated the results of our review and the related findings and recommendations to the Department's Office of Inspector General.

We appreciate the cooperation provided by Department personnel during the review. If you have any questions, please contact Ben Nukhavanit, Senior IT Audit Manager, or Hob Fulkerson, IT Audit Director, at (202) 371-1397.

WILLIAMS, ADLEY & COMPANY-DC, LLP
Management Consultants / Certified Public Accountants
1250 H Street, NW, Suite 1150, Washington, DC 20005, (202) 371-1397, Fax: (202) 371-9161


Management Letter

Information Security Control Issues

Williams, Adley and Company, LLP (referred to as "we" in this management letter), conducted, on behalf of the Office of Inspector General (OIG), an independent evaluation of the Department of State's (Department) Information Security Program as required by the Federal Information Security Management Act (FISMA) and in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) regulations and standards.

In addition to the findings identified in the FY 2010 report Review of Department of State Information Security Program (AUD/IT-11-07, November 2010), we identified two additional information security weaknesses that require your attention and that are discussed individually within this report:

   * Security Training - Lack of maintenance of classified information nondisclosure agreements.
   * Contingency Planning - Lack of evidence for an enterprise-wide Business Impact Analysis (BIA) for Primary Mission Essential Functions (PMEF).

Although the recommendations in the draft management letter were addressed to the Bureau of Diplomatic Security (DS), the Bureau of Information Resource Management (IRM) presented its "coordinated" response with DS and the Bureau of Administration and provided a "consolidated reply" to the recommendations, which is in Appendix A.

Background

The FY 2010 report measured the Department's security program against the standards contained in NIST Federal Information Processing Standards (FIPS) Publication (Pub) 200, Minimum Security Requirements for Federal Information and Information Systems. This publication is applicable to all information within the Federal Government and all Federal information systems and is the basis for the application of the security controls defined in NIST Special Publication (SP) 800-53, revision 3, Recommended Security Controls for Federal Information Systems. The requirements in FIPS Pub 200 are consistent with those contained in section 8b(3) of OMB Circular A-130, Management of Federal Information Resources, as analyzed in appendix IV, "Analysis of Key Sections," of the circular. Supplemental information on OMB Circular A-130 is provided in appendix III of the circular.

Security control weaknesses directly related to FISMA were provided to the Department in OIG's November 2010 report (AUD/IT-11-07).

Scope and Methodology

We conducted the review from June through September 2010 and in accordance with FISMA, OMB, and NIST guidance. We and OIG believe that the evidence obtained provides a reasonable basis for the findings and conclusions represented in this letter.

We used the following laws, regulations, and policies to evaluate the adequacy of the controls in place at the Department:

   * OMB Memorandums M-02-01, M-04-04, M-06-19, and M-10-15.[1]
   * Department policies and procedures.
   * Federal laws, regulations, and standards (such as the Computer Security Act of 1987; FISMA; and OMB Circular A-130, appendix III).
   * NIST SPs, FIPS Pubs, other applicable NIST publications, and industry best practices.

The weaknesses we identified and the related recommended corrective actions are described below.

Lack of Maintenance of Classified Information Nondisclosure Agreements

The Department did not obtain signed copies of Standard Form (SF) 312, Classified Information Nondisclosure Agreement, for four of the 25 new employees included in our sample for testing. The Foreign Affairs Manual (FAM)[2] requires the bureau, post, or unit security officer to ensure that each new employee signs an SF 312 acknowledging that he or she has read, understands, and agrees to abide by the Department's rules for accessing classified information at the beginning of employment and before accessing classified information. In addition, NIST SP 800-53[3] requires Federal agencies to obtain from employees "signed acknowledgement . . . indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system."

DS determined that SFs 312 were missing for two of the four employees because the security officer (from post) had not submitted the forms. For another employee, the position was designated nonsensitive, which did not require access to classified information. Therefore, no briefing was authorized, and the SF 312 was not signed. DS could not determine why the SF 312 was missing for the fourth employee.

We noted that DS does not have procedures in place to routinely, on a quarterly, semiannual, or annual basis, reconcile the number of new employees hired by the Department with the number of SFs 312 received from all of the bureaus and posts. Additionally, DS does not have procedures to identify specific employees who have not completed and signed the SFs 312. (The current process involves manually signing the SFs 312.)

Without a signed SF 312, the Department has no record that an employee understands and has acknowledged the rules of behavior for Federal information and information systems and may not be able to hold an employee accountable for actions that may be contrary to FAM and NIST requirements.

   Recommendation 1: We recommend that the Bureau of Diplomatic Security (DS) develop and implement new internal controls to compare and reconcile, on a quarterly, semiannual, or annual basis, the number of signed Standard Forms (SF) 312, Classified Information Nondisclosure Agreement, for new employees with the actual number of new employees hired by the Department of State. The new controls should be designed to identify, by bureau or office, personnel who have not completed and submitted a signed SF 312. Because of the number of SFs 312 and the manually intensive process in place to compare and reconcile SFs 312, DS should consider implementing an automated process.

   Management Response. In the consolidated reply, DS stated that it "respectfully disagree[d] with the recommendation based upon the relevant authorities governing the use of non disclosure agreements for the use of classified information." Instead, DS stated that the signed acknowledgement (for the rules of behavior) is addressed by the Department's initial and annual cyber security awareness training. DS requested that the recommendation "be removed" from the management letter.

   OIG Analysis. Based on management's statement and the documentation it cited describing the internal controls in place to ensure that only authorized individuals are granted access to classified systems, OIG considers this recommendation closed. During the FY 2011 OIG FISMA evaluation, the initial security awareness training program and its supporting documentation will be reviewed.

[1] OMB Memorandums M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones; M-04-04, E-Authentication Guidance for Federal Agencies; M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments; and M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.
[2] 12 FAM 563.2, "Responsibilities of Post Security and Unit Officers," and 12 FAM 564.1, "Briefings - Initial."
[3] NIST SP 800-53, rev. 3, PL-4, "Rules of Behavior."

Lack of Evidence for Enterprise-Wide Business Impact Analysis for Primary Mission Essential Functions

The Bureau of Administration, Office of Emergency Management, did not provide evidence that an enterprise-wide BIA had been conducted. In February 2008, OMB, through the Department of Homeland Security (DHS), established Federal Continuity Directive 2 (FCD2), Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process, which requires all Federal agencies to conduct an enterprise-wide BIA to consolidate the agency's Primary Mission Essential Functions (PMEF) under a single recovery document by prioritizing the functions. The PMEF is essential to identifying critical and essential Department functions that must be performed to support the performance of National Essential Functions before, during, and after an emergency situation occurs. Each agency's PMEF needs to identify critical and primary functions that need to be performed either on a continuous basis or that need to be resumed within 12 hours after a disaster or significant event occurs and that must be maintained for up to 30 days or until normal operations can be resumed.

The Office of Emergency Management provided copies of the PMEFs but not of the supporting BIAs. Also, although IRM has performed specific BIAs at the application and system level, IRM did not provide a copy of the enterprise-wide BIA that prioritizes the recovery processes based on the Department's assessment of critical communications support needs for each of the Department's mission-essential functions. Therefore, we concluded that the Department does not have an enterprise-wide BIA.

Without performing a BIA at the enterprise level in conjunction with the PMEF, the Department will not meet the requirements set forth in FCD2, which may impact DHS's efforts to develop and implement a recovery program to address the National Essential Functions.[4]

Additionally, IRM-documented recovery strategies may not be appropriate and relevant to the Department's missions to ensure that critical and primary functions are recovered within the required timeframes and continued at a temporary recovery backup facility for 30 days, as required by FCD2.

   Recommendation 2: We recommend that the Bureau of Information Resource Management, in conjunction with the Bureau of Administration, Office of Emergency Management, develop and document a comprehensive enterprise-wide Business Impact Analysis in conformance with Federal Continuity Directive 2, Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process.

   Management Response: In the consolidated response, IRM, "in conjunction with" the Bureau of Administration, "respectfully disagree[d]" with "the placement" of the recommendation in the "instant Management Letter based upon the lack of relevance to the controlling authority." IRM stated that while the requirements specified in FCD2 are "critical and essential, any Department weaknesses associated with implementing those requirements are not directly relevant to implementation of FISMA and its associated authorities."

   OIG Analysis: OIG considers this recommendation applicable to FISMA, as resiliency and contingency planning is directly related to information security and OMB specifically asks about the status of BIAs in its annual OIG FISMA metrics. Therefore, OIG considers this recommendation unresolved. This recommendation can be closed pending OIG's review and acceptance of Office of Emergency Management and IRM documentation for the enterprise-wide BIA for the PMEFs identified, as required by OMB.

[4] These functions are defined as the eight functions the President and national leadership will focus on to lead and sustain the Nation during a catastrophic emergency.


Appendix A

United States Department of State
Washington, D.C. 20520

April 21, 2011

MEMORANDUM

TO:       OIG/AUD - Mr. Jerry Rainwaters

FROM:     IRM/BMP/SPO/SPD - Robert Glunt

SUBJECT:  Response to Draft Management Letter Related to Review of Department of State Information Security Program for FY 2010

IRM would like to extend its appreciation for the opportunity to review and provide comment to the draft Management Letter related to the OIG's review of the Department of State Information Security Program for FY 2010.

While it is not our intention to provide detailed explanations of implementation efforts, IRM and the other Bureaus involved in preparing the responses wish to articulate the rationale for their position on the two recommendations provided.

Responses were coordinated with the Bureau of Diplomatic Security and the Bureau of Administration. Please consider this a consolidated reply to your request.

Lack of Maintenance of Classified Information Nondisclosure Agreements

Recommendation 1: We recommend that the Bureau of Diplomatic Security (DS) develop and implement new internal controls to compare and reconcile, on a quarterly, semiannual, or annual basis, the number of signed Standard Forms (SF) 312, Classified Information Nondisclosure, for new employees with the actual number of new employees hired by the Department of State. The new controls should be designed to identify, by bureau or office, personnel who have not completed and submitted a signed SF 312. Because of the number of SFs 312 and the manual intensive process in place to compare and reconcile SFs 312, DS should consider implementing an automated process.

Response: The Bureau of Diplomatic Security respectfully disagrees with the recommendation based upon the relevant authorities governing the use of non disclosure agreements for the use of classified information.

Executive Order 12968, Access to Classified Information, states in Section 3.1 that "no employee shall be deemed eligible for access to classified information merely by reason of Federal service or contracting, licensee, certificate holder, or grantee status or as a matter of right or privilege, or as a result of any particular title, rank, position, or affiliation." Executive Order 12968 goes on to say only those employees granted access to classified information must "have signed an approved non disclosure agreement."

Executive Order 13526, Classified National Security Information, states in Section 4.1 that only those "who have met the standards for access to classified information shall receive contemporaneous training on the proper safeguarding of classified information". The Executive Order defines contemporaneous as a time period when all three conditions are satisfied:
   * a favorable determination of eligibility for access has been made by an agency head or the agency head's designee;
   * the person has signed an approved nondisclosure agreement; and
   * the person has a need-to-know the information.

The Foreign Affairs Manual section cited by the OIG's Management Letter (e.g., 12 FAM 564.1) is consistent with the aforementioned Executive Orders where it states "each new employee is required to read and sign Form SF-312, Nondisclosure Agreement at the time of entrance on duty and prior to being afforded access to national security (classified) information."

As such, the applicable Executive Orders and the Department's implementing policy both stand for the proposition that only those individuals granted access to classified information are required to execute a non-disclosure agreement.

The NIST Special Publication 800-53 cited by the OIG's Management Letter is misplaced in that the publication does not apply to national security systems and the cited requirement (e.g., "signed acknowledgement . . . indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and information systems") is addressed by the Department's initial and annual cyber security awareness training.

The Department maintains an up-to-date database of every new cleared employee that has signed an SF-312. Executed SF-312s are entered into a DS database and the original form is forwarded to HR for inclusion in the individual's official personnel file (OPF), in accordance with National Archives Information Security Oversight Office guidance.

Accordingly, the Bureau of Diplomatic Security respectfully requests Recommendation 1 be removed from the Management Letter.

Lack of Evidence for Enterprise-Wide Business Impact Analysis for Primary Mission Essential Functions

Recommendation 2: We recommend that the Bureau of Information Resource Management, in conjunction with the Bureau of Administration, Office of Emergency Management, develop and document a comprehensive enterprise-wide Business Impact Analysis (BIA) in conformance with Federal Continuity Directive 2, Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process.

Response: The Bureau of Information Resource Management, in conjunction with the Bureau of Administration, respectfully disagrees with the placement of Recommendation 2 in the instant Management Letter based upon the lack of relevance to the controlling authority.

The purpose of the Federal Information Security Management Act of 2002 (FISMA) is to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets."

Federal Continuity Directive 2 (FCD2), Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process, was established to help agencies identify their Mission Essential Functions (MEF) and potential Primary Mission Essential Functions (PMEF). The Bureau of Administration has completed identifying Mission Essential Functions (MEFs) and Primary Mission Essential Functions (PMEFs) as required by the Inter Agency Board (IAB). Business Impact Analyses (BIAs) have been completed for the identified Primary Mission Essential Functions (PMEFs). All processes have been performed in accordance with Federal Continuity Directive 2 (FCD2).

While the requirements specified in the Federal Continuity Directive 2 (FCD2) are critical and essential, any Department weaknesses associated with implementing those requirements are not directly relevant to implementation of FISMA and its associated authorities.

Accordingly, the Bureau of Information Resource Management, in conjunction with the Bureau of Administration, respectfully requests Recommendation 2 be removed from the instant Management Letter and be included in an OIG report that is relevant to the subject matter in question.


FRAUD, WASTE, ABUSE, OR MISMANAGEMENT
of Federal programs
and resources hurts everyone.

Call the Office of Inspector General
HOTLINE
202-647-3320
or 1-800-409-9926
or e-mail oighotline@state.gov
to report illegal or wasteful activities.

You may also write to
Office of Inspector General
U.S. Department of State
Post Office Box 9778
Arlington, VA 22219
Please visit our Web site at:
http://oig.state.gov

Cables to the Inspector General
should be slugged "OIG Channel"
to ensure confidentiality.